Create IAM Policies
In order to run the Lambda script, it must have permission to interact with each of the AWS services it calls. To grant those permissions to the Lambda script, perform the following steps:
Input IAM into the search bar located at the top of the AWS interface.
Locate and click on IAM to navigate to the IAM page.
In the IAM navigation pane, click Policies located under the Access management header.
Two policies are required for this integration. First, create a policy that allows the Lambda script to interact with the AWS Route 53 DNS Firewall domain list. On the Policies page, click Create Policy located on the top right of the page.
On the Create Policy page, click the JSON button.
Copy the following JSON code:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "route53resolver:CreateFirewallRule",
        "route53resolver:CreateFirewallRuleGroup",
        "route53resolver:CreateFirewallDomainList",
        "route53resolver:ListFirewallRules",
        "route53resolver:ListFirewallDomains",
        "route53resolver:GetFirewallDomainList",
        "route53resolver:UpdateFirewallDomains",
        "route53resolver:GetFirewallRuleGroup",
        "route53resolver:DeleteFirewallDomainList",
        "route53resolver:ListFirewallDomainLists",
        "route53resolver:ImportFirewallDomains"
      ],
      "Resource": "*"
    }
  ]
}
Replace all code in the JSON text box with the code copied from the previous step.
Click the Next button located on the bottom right of the page.
On the Review policy page, perform the following steps:
Give the policy a Name.
(Optional) Give the policy a Description.
(Optional) Add tags via the Add tag button.
Click the Create policy button located on the bottom right of the page to confirm the creation of the Policy.
Now create a second policy to allow the Lambda script to interact with the S3 bucket. On the Policies page, click Create Policy located on the top right of the page.
On the Create Policy page, click the JSON button.
Copy the following JSON code:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::name_of_bucket"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::name_of_bucket/*"
    }
  ]
}
Replace all code in the JSON text box with the code copied from the previous step.
On lines 8 and 18, remove the text ‘name_of_bucket’ and replace it with the name of the bucket you created on pages 50-51 (the s3:ListBucket statement must name the bucket itself, and the object statement must name the bucket followed by /*). Note: in the example screenshot, the name of my bucket is ‘r53-b1td-bucket’, without quotations.
Click the Next button located on the bottom right of the page.
On the Review policy page, perform the following steps:
Give the policy a Name.
(Optional) Give the policy a Description.
(Optional) Add tags via the Add tag button.
Click the Create policy button located on the bottom right of the page to confirm the creation of the Policy.
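Before pasting the edited S3 policy into the console, a quick offline check confirms that both statements are scoped to your bucket alone. The script below is an added example, not part of this guide: it substitutes the bucket name into the second policy (embedded inline with its placeholder) and flags an unreplaced placeholder, a wildcard resource, or a statement whose ARN does not match the bucket. The bucket name ‘r53-b1td-bucket’ is taken from the screenshot.

```python
import json
from typing import List

# Second policy from the guide, with the placeholder still in place (embedded for an offline check).
S3_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::name_of_bucket"},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::name_of_bucket/*"}
  ]
}"""

PLACEHOLDER = "name_of_bucket"
OBJECT_ACTIONS = ("s3:PutObject", "s3:GetObject", "s3:DeleteObject")


def render_policy(template: str, bucket: str) -> dict:
    """Substitute the real bucket name for the placeholder and parse the result."""
    return json.loads(template.replace(PLACEHOLDER, bucket))


def check_s3_policy(policy: dict, bucket: str) -> List[str]:
    """Return the problems found; an empty list means every statement is scoped to `bucket`."""
    problems = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "?")
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for res in resources:
            if PLACEHOLDER in res:
                problems.append(f"{sid}: placeholder '{PLACEHOLDER}' was not replaced")
            if res == "*":
                problems.append(f"{sid}: wildcard resource grants access to every bucket")
        # Bucket-level action must name the bucket itself; object-level actions need the /* suffix.
        if "s3:ListBucket" in actions and bucket_arn not in resources:
            problems.append(f"{sid}: s3:ListBucket must target {bucket_arn}")
        if any(a in actions for a in OBJECT_ACTIONS) and f"{bucket_arn}/*" not in resources:
            problems.append(f"{sid}: object actions must target {bucket_arn}/*")
    return problems


if __name__ == "__main__":
    rendered = render_policy(S3_POLICY_TEMPLATE, "r53-b1td-bucket")
    print(check_s3_policy(rendered, "r53-b1td-bucket") or "policy is scoped to the bucket")
```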
In the IAM navigation pane, click Roles located under the Access management header.
On the Roles page, locate and click the role that was automatically created for your Lambda function. Note that the role name should contain the Lambda function’s name. In the example screenshot, the Role name is Tide-R53-Integration-role-dfz32r2lc.
On the role’s Summary page, click the Add permissions button, then click the Attach policies button located in the list that is revealed.
Locate the two policies created earlier in this section. Click the checkbox associated with both Policies.
Click Add permissions to confirm attaching the two policies.